November  2013  www.csoonline.com  $9.00  BUSINESS  RISK  LEADERSHIP 


As crooks find new ways to dip into accounts, victims are left asking, Who’s liable?


TECH: In the Future, Malware Could Damage Bytes, Bones and Brains 6

RISK: Managing Millennials? Better Rethink That Social Media Policy 14

LEAD: 6 Tools No Security Awareness Program Can Succeed Without 20



DEPLOYMENT. LESS DOWNTIME. THE NUMBERS ADD UP.

VCE VBLOCK SYSTEMS


Focus on business, not infrastructure. Vblock Systems are built on the Cisco Unified Computing System with Intel® Xeon® processors, storage from EMC and virtualization from VMware. The results speak for themselves: more productivity with less cost.

Learn more at www.vce.com/roi



© 2013 VCE Company, LLC. All Rights Reserved. Vblock and the VCE logo are trademarks or registered trademarks of VCE Company, LLC and/or its affiliates in the United States and other countries. Intel, the Intel logo, Xeon and Xeon Inside are trademarks or registered trademarks of Intel Corporation in the U.S. and/or other countries. All other trademarks used herein are the property of their respective owners. Numbers based on IDC Whitepaper: "Convergence with Vblock Systems: a Value Measurement" September 2013. Specifications may vary according to customer's requirements. All information is provided 'as is' and all warranties are disclaimed.




November 2013 Volume 12, Number 9

The Many Faces of Financial Fraud
26 Improvements in payment protections are shifting the liability— and the bill— for fraud to the least-secure party
BY DEB RADCLIFF

6 In the Future, Malware Could Damage Bytes, Bones and Brains
7 Blackhole Exploit Kit Creator Arrested
8 Apple’s Fingerprint Authentication May be Imperfect, But It’s Better Than Nothing
9 Proposal to Lock Down Whois System Causes Uproar
10 IT Blocks Apps Based on Popularity, Not Risk
12 Facebook’s Graph Search Is a Gold Mine for Phishers

risk
14 Managing Millennials? Better Rethink That Social Media Policy
16 Why Settling for Compliance Increases Risk
18 Spear Phishing Poses Threat to Industrial Control Systems

lead
20 6 Tools No Security Awareness Program Can Succeed Without
22 Building the InfoSec Team of Tomorrow
24 Cybersecurity Can’t Become a ‘Profession’ Until It Stops Changing So Fast, Report Finds

last
32 6 Ways Kids Shirk Homework in the Digital Age

Also Inside
2 Editor’s Letter
4 Publisher’s Letter




Fighting Fraud With Better Weapons

In early 2007, TJX Companies, the largest discount department store chain in the U.S., announced its computer systems had been breached, potentially exposing the credit card information of what was later determined to be 45.7 million customers.

The breach was certainly not the first of its kind. But at the time, it was the largest, and arguably the most high-profile, credit-card-data breach to date. The event led to major credit-card-processing reform and prompted credit bureaus to seek legislation requiring that retailers be held responsible for compromised customer information saved in their systems.

It’s 2013 now. Despite reforms, including overhauls of compliance standards such as PCI DSS, the industry is still battling to build ironclad security for financial records. In fact, just this past February, as CSO contributor Deb Radcliff points out, a New York-based organized crime ring accessed financial databases, stole prepaid debit card data, removed their withdrawal limits, cloned new cards, and then sent “mules” out to make 4,500 ATM withdrawals worldwide. On some days, it appears the financial fraud trend shows no signs of slowing.

In this month’s feature story from Radcliff (“The Many Faces of Financial Fraud,” Page 26), we learn that as the number of breaches (including many at well-known institutions) continues to fill news headlines, victims on all sides of this crime are left sorting out who assumes the losses. Does the liability rest with the financial institutions that were initially hacked and whose data was used to manipulate the withdrawal limits and load balances onto the cards? Or with the financial institutions that processed the transactions?

But the news is not all bleak. In fact, as Radcliff’s piece points out, changes made since the days of the TJX breach are making measurable differences, with one source noting that in 2012, payments fraud was 12 percent lower than in 2009, according to the “2013 AFP Payments Fraud and Control Survey” conducted by JP Morgan. So while large-scale breaches are still frustrating and woefully frequent, they are being reduced by the reforms of the past six years.

Regardless, while we’ve come a long way from the circumstances that led to the TJX breach, these kinds of events are still all too familiar, and we still have a way to go as an industry to prevent financial fraud and credit-data breaches.

How do you think we’re doing in security when it comes to protecting ourselves from financial fraud? What would you like to see changed today?

-Joan Goodchild, Executive Editor
jgoodchild@cxo.com


CSO (ISSN 1540-904X) is published monthly except for a combined issue in July/August and December/January by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9206, Framingham, MA 01701-9208. Periodical Postage Rate at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. Canadian Postmaster: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9. Copyright 2011 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that a fee of $3.50 per copy of the article is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01970, www.copyright.com. Please specify: ISSN 1540-904x. Permission to photocopy does not extend to contributed articles followed by this symbol: j. Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified security executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 International. Please allow four to six weeks for new subscriptions to begin. Change of Address: Go to www.omeda.com/custsrv/cso and follow the online instructions. Postmaster: Send change of address to: CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.


Executive Editor: Joan Goodchild, jgoodchild@cxo.com, 508 988-7994, Twitter: @msjoanieg
Senior Editor, Copy and Production: Colleen Barry
Art Director: Steve Traynor
Editorial Administrator: Pat Josefek
Research Manager: Carolyn Johnson
Contributors: Taylor Armerding, David Geer, Antone Gonsalves, George V. Hulme, Jeremy Kirk, John P. Mello Jr., Lauren Gibbons Paul, Bob Violino

Editorial/Advertising/Business Offices: 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Main phone number: 508 872-0080

Subscriber Services: Phone: 866 354-1125; Fax: 847 564-9453; cso@omeda.com

IDG Enterprise, An IDG Communications Company
International Data Group Chairman of the Board: Patrick J. McGovern
IDG Communications, Inc. CEO: Bob Carrigan
Chief Content Officer: John Gallant
BPA Worldwide




ADVERTORIAL

Automated Malware Analysis: A Toolbox Must-Have

Market Pulse

Malware's evolution is forcing CSOs and their security teams to re-evaluate how they address threats on the network. Advanced persistent threats (APTs) are getting past traditional security controls like signature-based antivirus and intrusion-detection systems. While those technologies still have their place, organizations need to supplement their threat detection toolbox with new technologies. Given their complexity, advanced threats must be tackled with a variety of tools. However, an automated analysis tool is crucial. Only malware analysis can provide information about what exactly is happening on the network.

According to the CSO Market Pulse report IT Security Strategy/Plans, more than two-thirds of organizations use manual remediation processes to help analyze and mitigate malware attacks. But malware's dynamic nature, the volume of threats, and resource limitations render manual analysis and mitigation techniques ineffective. These organizations will always be in reactionary mode, with attackers being a step or two ahead.

Fortunately, security researchers are developing tools that enable organizations to automate malware analysis. With automated behavior analysis tools, organizations can safely run suspicious files in a protected "sandbox" environment where their behavior can be observed and analyzed. A skilled professional can then take what is learned about the file's behavior and turn it into actionable steps for remediating any damage the file has caused on production networks.

Today's automated malware analysis tools offer a number of significant benefits:

» Cost efficiency — Advanced malware analysis capabilities are within reach of most organizations. That's good, because no organization is safe from advanced threats. Nearly 70 percent of respondents to the CSO Market Pulse survey report their organizations are vulnerable to malware attacks in their industries. And two-thirds of respondents lack confidence that their organizations have the level of visibility necessary to contain and proactively mitigate malware attacks.

» Better data security confidence — Automated malware analysis provides organizations with visibility into what's actually happening on the network, replacing fear and doubt with understanding and clarity.
[Pull quote; percentage illegible in scan] of CSO Market Pulse respondents say a more proactive approach to malware detection is a benefit of automated malware analysis.


» Insights into the overall health of a security program — Organizations can use the information derived from malware analysis to create a threat report that details where data security efforts are strong and where they need reinforcement.

» Proactive approach to malware detection — With production threat modeling, organizations can test samples in closely matched virtual production environments to see what a suspicious file is going to do before it sets out to do it.

» A focus on the most critical threats — Resource limitations make it impossible for organizations to address every potential threat on the network. Automated malware analysis tools assign a risk score to analyzed samples, which can be used to prioritize remediation efforts so you can feel confident that you are assigning resources appropriately.

The ability to analyze behavior on the network is crucial in the face of advanced threats. Automated malware analysis tools from Norman Shark not only help IT organizations more efficiently remediate threats, but they also improve their overall risk posture.

To learn more, download this white paper sponsored by Norman Shark: www.csoonline.com/whitepapers/normanshark


CSO Custom Solutions Group


Balancing Risk and Reward

I’m picking up where I left off last month by examining how effectively security is doing its job. Not much has changed in that month: You’re still not doing security well.

But this month I want to dig into the issues that are raised by the technologies your organizations are using, the challenges you have in sharing information, and how those problems affect how much you can achieve.

For years, we’ve seen the diagrams used to show the adoption of new technologies: charts showing exponential growth as the adoption of disruptive technologies accelerates over time. Boy, those charts sure are being proven accurate now. New technologies that your organizations have been adopting over the past four years (cloud, consumer devices, social media and so on) are full of risks and, for the most part, security was not addressed before they were adopted or implemented. Not a great way to do security, I think we’d all agree.

At the same time, your adversaries’ capabilities have been growing exponentially. Now let’s put this in perspective: Have your capabilities grown exponentially? Have your budgets grown exponentially? Has your staff grown exponentially? Have I made my point?

Let’s shift gears for a minute and talk about collaboration. There's the whole public-private partnership collaboration, but that’s not what I’m talking about here. I’m talking about peer collaboration. One of the best ways to prevent security incidents is to have an understanding of what attacks look like and what defenses work against them. When you get attacked, let some of your peers know about it because they may be next. Maybe next time they’ll give you a heads-up. The industry has been trying to create more formalized frameworks for this type of collaboration for years through industry ISACs and other forums, but most of them have seen only marginal success. Our most recent Global State of Information Security Survey found that only one in four of you actually collaborates. Why? You don’t want to draw attention to your weaknesses, and you don’t trust your competitors not to use it against you. Fair concerns, but, as you do in evaluating the balance of security and business opportunity, you need to evaluate the benefits of sharing versus not sharing.

This industry has got to get better at handling the risks created by new technologies and working together to solve shared challenges. If you can’t do that, you’re in trouble, as wave after wave of new technology and attacks will run you over.

-Bob Bragdon, publisher
bbragdon@cxo.com


Advertiser  Index 


ASSA ABLOY ..... 19
Cisco Systems, Inc. ..... C2
Courion Corp. ..... C4
CSO ..... 11, 13, 25, C3




Norman Shark ..... 3
Security Smart Newsletter ..... 17
Vormetric, Inc. ..... 5


Executive Committee
President & CEO: Michael Friedenberg
Executive Assistant to the President & CEO: Pamela Carlson
SVP of Human Resources: Patricia Chisholm
SVP of Events: Ellen Daly
SVP & Chief Content Officer: John Gallant
SVP of Digital: Brian Glynn
SVP of Strategic Programs & Custom Solutions Group: Charles Lee
SVP, Group Publishers CMO: Bob Melk
SVP & General Manager, Online Operations: Gregg Pinsky
SVP of DEMO: Neil Silverman
SVP & COO: Matthew Smith
SVP & General Manager, CIO Executive Council: Pam Stenson
SVP of Digital, & Publisher: Sean Weglage

Sales
Publisher: Bob Bragdon
East Coast Regional Director, Integrated Sales: Roz Burke
Sales Director - West: Mary Hazelton
Sales Assistant: Kelsey Scheidemantel

Integrated Media and Online Sales
East Coast Online Regional Sales Manager: Richard Hartman
West Coast Online Regional Sales Manager: Erika Karr
Central Online Regional Sales Manager: Carmen Facas
Director of Ad Operations & Project Management: Bill Rigby
Director, Online Account Services: Danielle Thorne

Production
VP Production Services: Chris Cuoco
Production Manager: Heidi Broadley

Marketing
Vice President, Marketing: Sue Yanovitch
Marketing & PR Manager: Lynn Hotmlund

List Services
Contact Steve Tozeski of IDG List Services at 508 820-8106 or stozeski@idglist.com

Reprints & Permissions
For information about reprints and copyright permissions, please contact The YGS Group, 800-290-5460, ext. 100, cso@theygsgroup.com


Photo: Webb Chappell


Securing Big Data is a business

Big Data offers enormous business benefits - and an attractive target to cyber criminals. Protect What Matters: www.vormetric.com/bigdata92


In the Future, Malware Could Damage Bytes, Bones and Brains

Wearable devices open up a whole new world of risk for unwary users. By John P. Mello, Jr.

Wearable computers and augmented reality could mean cyberattacks will bring harsher consequences in the near future, according to a recent report by a pair of cybersecurity organizations. The line between digital and analog harm will become fuzzy in 2020, predicted the report, “Scenarios for the Future of Cybercrime,” prepared by the International Cyber Security Protection Alliance (ICSPA) and the European Cyber Crime Centre.

“Evolved threats to critical infrastructure and human implants will increasingly blur the distinction between cyber and physical attack, resulting in offline destruction and physical injury,” the report said.

“Moreover,” it continued, “increasing incorporation of augmented and virtual reality technologies into daily life has the potential to result in cyber crimes which entail psychological harm to individuals."

The report, which includes a number of scenarios describing what life might be like in 2020, said face-to-face meetings in the future could be conducted by virtual executives, which may give new meaning to the phrase “empty suit.”

“Advances in virtual reality facilitated by 3D tracking, cognitive neuroscience and haptic interfaces have enabled the development of technology that maps speech and behaviorisms onto virtual or robotic representatives, potentially succeeding in remote business interactions where video conferencing and virtual worlds have failed," the report noted.

Photo: Ted Eytan/Flickr

Although that technology, after the initial costs of setup, can save businesses money on plane tickets and hotel stays, the report acknowledged there may be resistance to it.

“[I]t remains to be seen whether corporations heavily reliant on trust and personal relationships will take to it, and there have already been incidents of criminal interception, manipulation, and eavesdropping for profit,” it said.

Admittedly, the remote presence and virtual-reality technologies identified in the report may just be entering the mainstream in 2020, so their potential for good (and bad) won’t be fully realized at that time. “It is reasonable to speculate, however, that the level of interaction of truly immersive technologies with human cognitive processes will bring new harms (especially psychological) as well as benefits,” the report said.

It also predicted a society that in 2020 will be on the doorstep of the world described in William Gibson's prescient novel Neuromancer.

“While the vast majority of today’s Internet users would baulk at the idea of receiving a brain or retina implant, mainstream adoption of augmented reality, virtual reality and sensor technology may prime 2020's younger generations for uptake, and desensitize them to some of the possible attached risks," the report said.

Not only does the report address how cyberthreats can be fought in the future, but it also considers who will be fighting them, ICSPA Chief Executive John Lyons explained.

"To meet the challenges of cyber crime, we need to become more creative and flexible,” he said in a statement. “We must make sure law enforcement, criminal justice, governments and business pull in the same direction, but they have to do so without trampling on their citizens’ expectations of privacy and anonymity.”

If privacy is challenging now, it will be even more so in 2020. “The future reality of large scale radio frequency identification (RFID) deployment, global sensor proliferation, aggregation of data and highly personalized, augmented services will require the legal frameworks for privacy and security to further adapt,” the report said.

The future of privacy and security is front-and-center in the report, says Raj Samani, VP and CTO for McAfee Europe, the Middle East and Asia. “It says it's great that we’re moving to these fantastically connected devices, but we have to be aware that the risks here are going to be quite significant,” he says. “That’s why we have to think about security now when we’re designing all these great solutions.”

An important part of securing these devices is identifying and protecting the seams in a massively connected society. “It’s about where networks and services and applications touch each other," says Rik Ferguson, global vice president of security research at Trend Micro. “That's where some of the weakest points are.”

Overall, the report displays the kind of forward thinking not typically found in security circles. “It’s looking down the road at an increasingly cyber future and what that will involve in terms of abuse of technology,” says ESET Security Evangelist Stephen Cobb.

“All too often," he adds, “we’re heads down fighting current cybercrime and not looking at the path down the road."

-John P. Mello, Jr.



Blackhole Exploit Kit Creator Arrested

The head of the European Cybercrime Center, Troels Oerting, confirmed recently that “Paunch,” one of the people behind the creation and maintenance of the Blackhole exploit kit, has been arrested in Russia.

“I know it is true, we got some information, but I cannot say any more,” Oerting told TechWeekEurope.

The Blackhole exploit kit is the most popular crime kit on the Web, and is used daily by tens of thousands of people. Blackhole is rented by criminals, and those responsible for its maintenance offer updates and features on a regular basis. The kit itself can be used for a number of types of attacks, as it supports exploits for Windows, Adobe and Java, as well as custom scripts and attacks.

It’s hoped that with the arrest of Paunch, there will be no one to update Blackhole and its attacks will go stale.




SALTED HASH

Apple’s Fingerprint Authentication May be Imperfect, But It’s Better Than Nothing

Tech
Tony Bradley, Bradley Strategy Group
CSOonline's Salted Hash blog and newsletter covers the news as it happens: blogs.csoonline.com/blog/cso


Apple made a big deal out of its new Touch ID fingerprint sensor in its iPhone 5S unveiling. Hackers with lots of time on their hands made an even bigger deal out of demonstrating that the fingerprint authentication could be tricked. Even if it can be hacked, though, the Touch ID fingerprint authentication is still a huge benefit for iPhone 5S security.

The Touch ID hack, which made headlines shortly after the technology was released, is irrelevant and silly. The hackers claim it’s a simple hack that can be done with common household materials, but few, if any, homes I know of are stocked with a camera capable of taking a 2400dpi photo, or a printer that cranks out 1200dpi images at a thick toner setting, or happen to have some spare latex milk lying around.

The reality is that the process requires a clear, full print to work with in the first place, and the process of creating the mold is somewhat convoluted. By the time an attacker could successfully create a mold of your fingerprint, you should have realized your iPhone is missing and just erased it remotely. The bottom line is that this hack is not of any concern to normal people in the real world.

Why, then, is a hackable biometric authentication method a huge benefit for iPhone 5S security? Simple: It’s better than nothing.

The strengths and weaknesses of Touch ID itself aside, the tool mainly serves to augment the passcode and simplify authentication. The primary value of Touch ID lies in the fact that many consumers are too lazy or apathetic to enter a passcode, but enabling Touch ID requires also setting up a passcode. Some security is better than no security at all, and Touch ID gives people incentive to use some security.

Many of the comments I’ve gotten in response to this opinion have missed the point that we’re not comparing fingerprint authentication to passcode authentication, we're comparing some authentication to no authentication at all. Some of the responses were just tinfoil-hat conspiracy theories about jealous girlfriends surreptitiously logging in to your iPhone using your finger while you’re sleeping, or concerns that Apple is collecting and maintaining a massive database of complete fingerprint images.

I don’t know about scary girlfriends. If that’s a concern, I think you need to examine your relationship, not your smartphone authentication. I can say with relative confidence that Apple isn’t cataloging identities and capturing fingerprints, so you can take off the tinfoil hat.

In all fairness, though, enabling Touch ID may not make sense from a business perspective. The fact is that company policy should already mandate the use of a passcode, and smart companies will enforce the use of more complex passcodes rather than relying on a 4-digit numeric PIN.

Now, if Apple starts letting Touch ID be used as a second method of authentication in addition to the passcode, then it becomes valuable from a business security perspective as well. A passcode may be guessed or cracked. A fingerprint can be faked with enough effort. But if accessing crucial data required both, it would make it very, very difficult for any attacker to access it.

-Tony Bradley


Photo: Edgar Su/Reuters


Proposal to Lock Down Whois System Causes Uproar

A working group for Internet regulators is under severe criticism for a proposal that would put an end to the openness of the current Whois system for domain name registration records.

The expert working group of the Internet Corporation for Assigned Names and Numbers (ICANN) has proposed establishing an aggregated registration data service (ARDS) for storing all records. The system would be closed by default, and people or organizations would have to convince the controlling body that they had a legitimate need for the data before they could see it.

Currently, registrants store registration records, and anyone can go to a number of sites that use the Whois query-and-response protocol to retrieve all the public information. The working group agrees with critics that the system in use today provides too much inaccurate information and fails to protect the privacy of individuals and entities with a legitimate right to keep the information out of the public domain.

Critics of the working group’s proposal agree that the system is broken, but disagree with the recommendation that today’s openness should be replaced with a system that is closed by default. Under the proposed system, individuals or entities that want registration would have to apply to a central authority for “access credentials to the ARDS.”

“What the ARDS proponents fail to realize is that Whois data isn’t separate from the Internet— it’s part of the Internet itself, and they are trying to centralize global control over who gets to access that key Internet information, what can be done with it and why,” says John Horton, president of LegitScript. “It’s extremely disquieting for one organization to be given that much power.”

LegitScript joined DomainTools, G2 Web Services and OpSec Security in sending a letter to ICANN, listing their objections to the proposed changes.

The group fears that the closed registry could hamper future innovative uses of the Whois data, among other potential problems.

“Since its inception, the Internet has been a powerful force of innovation and creativity primarily for the reason that there are relatively few barriers to entry,” the letter says.

Not everyone disagreed with the working group. The Center for Democracy and Technology (CDT) says the group did a “good job” in recommending access restrictions on currently available data. Nevertheless, the CDT felt ICANN did not go far enough in determining exactly what types of data should actually be handed over to the proposed registries.

“We question whether registering a domain should automatically publish that registrant’s personal data in the equivalent of an ‘Internet phone book,’” the center said in a statement.

While commercial organizations would have to provide Whois data, the CDT favored allowing individuals to opt out entirely. The reasoning would be to protect political dissidents from government surveillance.

To prevent spammers from gaming the system, the CDT suggested using anti-abuse teams to report suspicious domains to registries, which could decide whether to take legal or administrative action against the sites.

The working group also proposed giving law enforcement access to more registrant data than would be made available to other requestors. That suggestion was called a red herring by Garth Bruen, principal investigator at Internet security research company Knujon, which is “no junk” spelled backwards.

“Law enforcement already has superior access to registrant data, they always did,” Bruen told the KrebsOnSecurity blog. “Whois is about ordinary Internet users being able to find out who owns a domain name. The consumer is ultimately being frozen out.”

The expert working group is currently accepting comments on its proposal. The group will eventually hand a final recommendation to ICANN, but a timetable was not announced.

-Antone Gonsalves


NOVEMBER 2013 www.csoonline.com 9


IT Blocks Apps Based on Popularity, Not Risk

A study from Skyhigh Networks, a firm that focuses on cloud access security, shows that most of the time when IT blocks access to certain cloud-based apps, it focuses on popular, well-known programs, and not necessarily high-risk ones. The problem with this method of security is that it often leads to cloud-based apps that pose little to no risk being prohibited on the network, while those that actually do pose a serious risk are left alone, freely available to anyone who knows about them.

Moreover, the data collected from some 3 million users across 100 organizations shows that IT seriously underestimates the number of cloud-based apps and services running on its networks. For example, on average there are about 545 cloud services in use by a given organization, yet if asked to estimate how many such services its company uses, IT will usually give a number that's only a fraction of the true amount.

When it comes to the type of cloud-based apps and services blocked by IT, the primary focus seems to be on preventing productivity loss rather than mitigating risk, so the list of blocked apps frequently centers on name recognition. For example, Netflix is the number one blocked app overall, and services such as iCloud, Google Drive, Dropbox, SourceForge, WebEx, Bitly, StumbleUpon and Skype are commonly flagged too.

However, while those services do have some risk associated with them, they are also top brands that depend on having a reputation as being reliable. Yet users are often given unrestricted access to services such as SendSpace, Codehaus, FileFactory, authorSTREAM, MovShare and WeTransfer, which actually pose more risk than the other, more commonly blocked apps.

Digging deeper, the study shows that in the financial services sector, iCloud and Google Drive are commonly blocked, yet SendSpace and CloudApp, which are direct alternatives, are rarely, if ever, filtered. In healthcare, Dropbox and Memeo (an up-and-coming file-sharing service) are blocked, which is expected. Yet, once again, healthcare IT allows services such as WeTransfer, 4shared and Hostingbulk on the network.

In the high-tech sector, Skype, Google Drive and Dropbox are commonly expunged from network traffic, yet RapidGator, ZippyShare and SkyPath are fully available. In manufacturing, where WatchDox, Force.com and Box are regularly blocked, CloudApp, SockShare and RapidGator are fully used by employees seeking alternatives.

In a statement, Rajiv Gupta, founder and CEO at Skyhigh Networks, said that the report shows that "there are no consistent policies in place to manage the security, compliance, governance, and legal risks of cloud services."

Separately, in comments to CSO, Gupta agreed that one of the main causes for this large disconnect in content filtering is a lack of understanding when it comes to the risks behind most cloud-based apps and services (outside of the top brands), and the fact that many commercial content-filtering solutions simply do not cover the alternatives online, or as he put it, "They're not cloud-aware."

This proves that risk management can't be confined to a checklist and a bland category within a firewall's content-filtering rules.

"Cloud is very much the Wild, Wild West. Taming the cloud today is largely a whack-a-mole exercise...with your bare hands," Gupta said.

-Steve Ragan
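The gap the study describes, between what is blocked by name recognition and what is actually in use and risky, can be measured from ordinary proxy logs. The following is an added example written for this article, not code from Skyhigh Networks or CSO. It parses a few constructed proxy log lines, builds an inventory of the cloud services observed on the network, and reports the services in a "high" risk tier that the blocklist does not cover alongside the low-risk services that it does. The hostnames, service names, risk tiers and log lines are all constructed for illustration; a real deployment would substitute its own service catalogue and its own logs.

```python
"""Shadow-cloud inventory check: compare the cloud services actually seen
in proxy logs against a blocklist, grouped by an illustrative risk tier.

Added example for the CSO article on popularity-based blocking; not code
from Skyhigh Networks or CSO. All names, tiers and log lines below are
constructed for illustration.
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed catalogue: hostname -> (service name, risk tier).
# The tiers are illustrative placeholders, not any vendor's rating.
CATALOGUE = {
    "video.example-stream.com": ("StreamCo", "low"),
    "drive.example-brand.com": ("BrandDrive", "low"),
    "cdn.example-drop.net": ("DropAlt", "high"),
    "up.example-share.cc": ("QuickShare", "high"),
    "api.example-notes.io": ("NoteSync", "medium"),
}

# Constructed proxy log lines: timestamp, user, proxy action, URL.
PROXY_LOG = """\
2013-11-04T09:12:01 alice ALLOW https://video.example-stream.com/watch?id=1
2013-11-04T09:12:05 bob DENY https://drive.example-brand.com/files
2013-11-04T09:13:40 carol ALLOW https://cdn.example-drop.net/upload
2013-11-04T09:14:02 alice ALLOW https://up.example-share.cc/put/report.xlsx
2013-11-04T09:15:11 dave ALLOW https://api.example-notes.io/sync
2013-11-04T09:16:30 erin ALLOW https://cdn.example-drop.net/upload
2013-11-04T09:17:00 frank ALLOW http://unknown-host.example/x
"""


def parse_log(text):
    """Yield (user, action, host) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # malformed line: ignore rather than crash
        _ts, user, action, url = parts
        host = urlsplit(url).hostname
        if host:
            yield user, action, host.lower()


def inventory(log_text, catalogue=CATALOGUE):
    """Count requests per catalogued service and collect hosts the
    catalogue does not know. Returns (Counter name -> hits, set of hosts)."""
    hits = Counter()
    unknown = set()
    for _user, _action, host in parse_log(log_text):
        if host in catalogue:
            hits[catalogue[host][0]] += 1
        else:
            unknown.add(host)
    return hits, unknown


def policy_gaps(log_text, blocklist, catalogue=CATALOGUE, risky=("high",)):
    """Return (risky_but_allowed, low_risk_but_blocked): service names whose
    treatment by the blocklist contradicts a risk-based policy.
    A risky service only counts as a gap if it was actually observed."""
    hits, _ = inventory(log_text, catalogue)
    risky_allowed = sorted(
        name for host, (name, tier) in catalogue.items()
        if tier in risky and hits[name] and host not in blocklist)
    low_blocked = sorted(
        name for host, (name, tier) in catalogue.items()
        if tier == "low" and host in blocklist)
    return risky_allowed, low_blocked


if __name__ == "__main__":
    # A blocklist built on name recognition: the two "big brand" hosts.
    popularity_blocklist = {"video.example-stream.com",
                            "drive.example-brand.com"}
    hits, unknown = inventory(PROXY_LOG)
    print("services in use:", len(hits), "uncatalogued hosts:", sorted(unknown))
    print("risky but allowed / low-risk but blocked:",
          policy_gaps(PROXY_LOG, popularity_blocklist))
```

Run stand-alone, the script prints the size of the observed inventory, the hosts the catalogue does not recognize (the shadow services IT would miss when estimating by memory), and the two gap lists. The design point is that the inventory is driven by observed traffic, not by the list of services IT already knows about, which is the disconnect the study describes.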




CSO Forum on LinkedIn

Share best practices and insight and discuss your challenges with your security executive peers.

The CSO Forum is where members of the security community can connect and collaborate to move their security and technology initiatives and careers forward. If you are a senior security or IT professional, we'd love to have you join—apply for membership today.

Visit linkedin.com, click Groups and search for "CSO Forum"

Facilitated by CSOOnline.com and CSO Magazine


Tech

Facebook's Graph Search Is a Gold Mine for Phishers

Facebook has announced new changes to the way Graph Search discovers information, including the fact that status updates, photos, check-ins and comments are now included in search results. This new stream of information offers criminals developing phishing campaigns a number of new attack surfaces to exploit.

At the end of September, Facebook revealed the latest changes to its Graph Search function, a tool that allows people to search for specific content on the social network. Previously, Graph Search was limited to information on a person's profile or pages on the site, but now additional information, such as status updates, photos, check-ins, and comments, will become discoverable as well.

While these features are being touted by the social giant as a good thing, the risk they create is anything but.

This new stream of data offers a potential gold mine for criminals developing phishing campaigns, as well as for more experienced attackers, because searches can now focus on certain groups of people, from a given area, who are interested in or have a relationship to a specific business, organization, topic or hobby. It's even possible to filter results by time, causing details from long-forgotten comments or posts to see the light of day once again.

The data returned for a given search is limited only by the privacy settings on the post itself, or the overall settings by the user or their friends. Unfortunately, many people are still on default settings. As such, their profiles, including posts, are set to be shared to a much wider audience than they may intend.

"Facebook has a long-standing tradition of dragging users to share more information—even if they don't ask," says Trevor Hawthorn, CTO of ThreatSim.

ThreatSim focuses on spear phishing and awareness training, and the company's data, included in the "Verizon Business Data Breach Investigations Report," showed it was possible to track the success of a given phishing campaign. ThreatSim found that it usually takes three emails before a target will click on a link or an attachment.

"Running a campaign with just three emails gives the attacker a better than 50 percent chance of getting at least one click. Run that campaign twice, and that probability goes up to 80 percent, and sending 10 emails approaches the point where most attackers would be able to slap a 'guaranteed' sticker on getting a click," the Verizon report explains.

Half of the clicks within a given phishing campaign will happen within 12 hours of sending the first email, but clicks alone do not mean a successful compromise. However, the more focused the campaign, the more likely it is to successfully compromise its targets. That's why the enhanced search tool on Facebook could spell trouble, and why organizations and the people in them need to be mindful of protecting what they post.

"Facebook has always been useful for attackers to gather information about a specific target. Facebook Graph turns this on its head and allows an attacker that doesn't have a specific person in mind to browse and select several targets based on search criteria," Hawthorn says.

The changes to Graph Search will now allow for the construction of high-quality phishing messages, using specific search criteria that the target may not realize is available.

"For example, I can now search for Asian restaurants visited by people who work for the U.S. Department of State. That produces highly specific results that allow me to choose from a list of targets," Hawthorn says.

The data revealed in Graph Search is only as private as you—and your friends—set it to be, Hawthorn adds. Even if your details are locked down, check-ins and image tags or post tags still offer more insight than was previously available. When compared with the data available from other social services such as LinkedIn, Graph Search gives an attacker better odds when targeting a person or organization.

"Before Facebook Graph, the attacker would have to dig deeper and infer a lot about a target's interests, likes and employer. With Facebook Graph it's easier to search for and find the answers to those questions from the target himself," Hawthorn says.

-Steve Ragan


[Figure: Facebook's "Introducing Graph Search" screen. Caption text: "Explore your world through photos. Now you can use simple, specific phrases like 'Photos my friends took in New York City' to find anything you want."]




CSO's e-Mail Newsletters

Keep Up To Speed On the Security Issues Important to You. Delivered right to your desktop.

CSO Update
A look at the latest security news and analysis on CSOonline.com, delivered three times a week.

CSO Salted Hash
IT security news and analysis, over easy, delivered daily.

CSO News Watch
A recap of the week's top news stories.

CSO Career
A twice-monthly newsletter of career and leadership-oriented news, articles and events plus job postings.

CSO Tech Watch
Twice-monthly update on technologies for protecting networks, facilities, employees, intellectual property and more.

CSO Security Leader
Biweekly leadership-related articles and reports from CSO, as well as tips for educating employees and corporate leadership.

CSO Continuity & Recovery
A twice-monthly review of published material concerning business continuity and disaster recovery.

Security Research & Metrics
A monthly roundup of useful security research, benchmarks and statistics.

CSO Risk Management
A monthly roundup of strategies and tools for accurate measurement and prioritization of risks.

Sign up now for CSO's complimentary e-mail newsletters: www.CSOonline.com/newsletters




Managing Millennials? Better Rethink That Social Media Policy

A lot is at risk when employees use social media, so you have to lay down the law before trouble starts

BY CAROLYN APRIL

As baby boomers retire, Generation Y is set to become the dominant segment of the workforce, significantly shifting the age of the average employee. As the workforce composition changes and workers increasingly rely on technology for work, employers might be forced to alter their attitudes toward tech use on the job.

Today, social media, whether used for personal or professional reasons, has become synonymous with Generation Y, or "millennials." According to a new study by CompTIA, 41 percent of twentysomething employees are skirting their companies' social media policies, which can have consequences that ripple out to the whole organization.

While most companies assume that social media is simply a roadblock to productivity, it is the risk to corporate data that should really have IT policymakers thinking twice. With the likelihood of malware infestation, phishing scams and data sharing, accessing social media on corporate servers opens organizations up to a host of security issues.

Still, many companies' business models are shifting to include online and social components, leaving executives and IT to loosen the reins somewhat on employees' social media use. In the absence of a strong social media policy, however, workers will fail to distinguish between acceptable and improper use, leaving IT departments to clean up the mess.

The following is a list of some of the greatest social media policy mistakes that companies make, accompanied by tips to help promote better social media behavior, especially as younger, "digital-first" employees join the workforce.

Mistake: Ignoring benefits and focusing on time lost.

Many firms limit their employees' access to social media for fear of productivity issues, which, according to CompTIA's research, is a common concern. In fact, 64 percent of employees across all age groups believe that using social media at work for personal reasons poses a threat to productivity. Yet almost half of respondents between the ages of 20 and 40 use Facebook for work purposes, a disconnect that deserves attention.

The solution: Establish a social media training program. Show employees how to use social media in accordance with your policy to increase productivity, performance and contentment, especially if they use social platforms to do their jobs. By allowing employees to take advantage of social media's benefits, your company can harness the power of a valuable business tool.

Mistake: Creating a one-size-fits-all policy.

Because social media is still a new phenomenon, most companies only have one blanket policy that applies to all employees on the payroll, regardless of their responsibilities. This could be a mistake. According to CompTIA, senior staffers (who are often closest to important business information) were more likely than mid- and entry-level employees to access Facebook for work and personal purposes (53 percent as opposed to 21 percent). While crafting a social media policy takes time and effort, ignoring differences in the way people's jobs require them to use social media only makes the policy ineffective. Employees of varying levels and functions within organizations have different duties and variable access to different types of data. Social media policies should correspond similarly.

Solution: The goal should be to prevent unwarranted knowledge-sharing. Categorize employees depending on job responsibilities and access to sensitive data. Write the policy on a per-case (or per-group) basis, and tailor your internal social media training sessions accordingly.

Mistake: Not bothering to establish a policy until it becomes an issue.

Remember: a business social media policy (as a narrow slice of your overall IT policy) must protect corporate data. Considering the way social media facilitates threats such as malware, phishing scams and even innocent file sharing, its use in the workplace can be much more than a productivity problem.

Solution: The best thing you can do for your social media policy is to make sure that your employees know it back-to-front. Establish training days or online modules that will educate employees about best practices for safe social use. The more you communicate your policies and why they're necessary, the easier they will be to enforce.

A successful social media policy is a balanced one, one that gives employees the resources and options they need to do their jobs well while ensuring that IT departments don't live in fear of lurking security issues. Organizations should take the time to reassess their internal social media strategy and determine what can be tweaked to more realistically match their business's operations. Social media, like millennials, is unavoidably becoming a fixture in the workplace. Now is the time to figure out how to integrate it in a way that protects your sensitive information and grows your business at the same time.

-Carolyn April is the director of industry analysis for CompTIA, the nonprofit association for the IT industry.


By the Numbers

A survey by eIQNetworks asked 212 IT decision-makers what keeps them up at night. Among the results:

34% of respondents said their greatest information security nightmare would be an external data breach for financial gain.

31% said measuring and reporting on compliance was their biggest challenge to compliance.

24% said automating IT controls was their biggest challenge to compliance.

25% of respondents said they didn't know how long it would take to find the root cause of a breach.




Risk

Why Settling for Compliance Increases Risk

The Department of Health and Human Services recently confirmed that a lack of training is a common cause of HIPAA compliance problems. But is that really such a surprise? Given the poor state of awareness training in many organizations, it's no wonder that HIPAA violations are on the rise. The fact is, to achieve letter-of-the-law compliance, just about any form of training is enough to check the box. But as we continue to see, bad training is practically equivalent to, or worse than, no training at all.

It should be obvious that there is more to this compliance thing than simply doing the least one can do. For starters, ask yourself: in addition to being compliant, is your organization also competent to see that the spirit of the law is fulfilled? Does your organization, in the true spirit of compliance, promote a culture that respects the interests of customers, patients, shareholders and other constituents? Does everyone in the organization see themselves as responsible for the security of protected information, whether it is health information, credit card data, or the many other forms of personal information collected today? Do your executives actively model the importance of privacy and security? Do they seek out and identify potential gaps?

If the answer to any of these questions is "no," then not only does your organization lack the requisite privacy competence, but it may not even be in compliance.

Here are four myths that can lead you to believe you're protected, when in fact your compliance status is putting your organization and customers in serious jeopardy:

Myth 1: The minimum mandatory training shields you from liability.

Just ask any number of HIPAA-compliant organizations who found out the hard way: Organizations can be found to be legally negligent even if they have all their HIPAA papers in order and provided a level of training that satisfied the minimum regulatory requirement. Why? Because the behavior HIPAA seeks to regulate did not change as a result of the training. Consequently, organizations have been found liable for breaching a standard of care that in turn resulted in the inappropriate disclosure of health information. In other words, because the spirit of the law was ignored, the training was ineffective, and a liability resulted. A growing body of case law clearly demonstrates that satisfying the letter of the law alone just won't cut it.

Myth 2: The goal is regulatory compliance.

Simply being compliant does not translate to a safe and secure organization. Not by a long shot. And if your only motivation is to avoid the penalties for compliance violations, you've really missed the point. Regulatory fines are actually a drop in the bucket compared with the true costs of a breach, which also include loss of trust, customers and opportunity. The cost in lost business and any potential lawsuits can be staggering. Besides, achieving compliance is only the first step in safeguarding your organization and your customers. What the law is ultimately seeking is a culture of security-aware behavior.

Myth 3: Checking the box will improve your overall risk profile.

The truth is that a check-the-box approach to compliance actually leaves your organization with a very poor risk profile. Because it breeds a false sense of security, it also courts disaster. More important, the increased risk that inevitably follows compliance complacency endangers not only the security of your information and the privacy of your customers, but also your brand's greatest asset: your hard-earned reputation as being trustworthy.

Myth 4: Training above the minimum standard won't make any difference.

Take two organizations: one that gives awareness training short shrift and another that takes it seriously. Which would you consider more trustworthy: the company that gave its people an annual 30-minute PowerPoint presentation or the one that tied the training to the culture and corporate values of the organization and reinforced it throughout the year with habit-forming reminders? As a CEO, would you deliberately and consciously set out to test the theory that there's no difference between the two positions? Yet chances are, unless you've instituted formal awareness training in your organization, that's exactly what you are doing.

In the end, complying with the letter of the law while neglecting its spirit, and the strategic benefits that spirit provides, can leave your organization exposed, destroy customer trust, consume precious capital and tarnish your brand. Conversely, just a small investment in true behavior-changing training and reinforcement will pay huge dividends in fortifying the security of your organization and protecting your customers in the ways the laws require.

-John Schroeter is director of marketing at MediaPro, a provider of security awareness training solutions. Tom Pendergast is director of product strategy and instructional design at MediaPro.




The Employee Security Awareness Newsletter from the Editors at CSO

Security Smart is a quarterly security awareness newsletter ready for distribution to your employees — saving you precious time on employee education! The compelling content combines personal and organizational safety tips, so it is applicable to many facets of employees' lives. And the easy-to-read design has multiple entry points, so you are assured that your intended audience of employees — your organization's most valuable assets — will read and retain the information.

Subscribe today!

To view a sample issue of the newsletter, learn about the delivery options and to subscribe, visit: www.SecuritySmartNewsletter.com




For more information please visit www.SecuritySmart.com

Security Smart is published by CSO, a business unit of CXO Media. © 2012 CXO Media Inc.




Risk

Spear Phishing Poses Threat to Industrial Control Systems

While the energy industry may fear the appearance of another Stuxnet on the systems they use to keep oil and gas flowing and the electric grid powered, an equally devastating attack could come from a much more mundane source: phishing.

Rather than worry about exotic cyberweapons like Stuxnet and its big brother, Flame, companies that use supervisory control and data acquisition (SCADA) systems—computer systems that monitor and control industrial processes—should make sure their anti-phishing programs are in order, say security experts.

"The way malware is getting into these internal networks is by social engineering people via email," says Rohyt Belani, CEO and co-founder of the anti-phishing training firm PhishMe.

"You send them something that's targeted, that contains a believable story, not high-volume spam, and people will act on it by clicking a link or opening a file attached to it," he says. "Then, boom, the attackers get that initial foothold they're looking for."

In a case study cited by Belani, he recalled a very narrow attack on a single employee working the night shift monitoring his company's SCADA systems.

The attacker researched the worker's background on the Internet and used the fact that he had four children to craft a bogus email from the company's HR department with a special health insurance offer for families with three or more kids. The employee clicked a malicious link in the message and infected his company's network with malware.

"Engineers are pretty vulnerable to phishing attacks," says Tyler Klinger, a researcher with Critical Intelligence.

He recalled an experiment he conducted with several companies on engineers and others with access to SCADA systems in which 26 percent of the spear phishing attacks were successful.

Success means that the target clicked on a malicious link in the phishing mail. Klinger's experiment ended with those clicks. In real life, those clicks would just be the beginning of the story and would not necessarily end in success for the attacker.

"If it's a common Joe or script kiddie, a company's [intrusion-detection systems] will probably catch the attack," Klinger says. "If they're using a Java zero-day or something like that, there would be no defense against it."

In addition, phishing attacks are aimed at a target's email, which is usually located on a company's IT network. Companies with SCADA systems typically segregate them from their IT networks with an "air gap."

That air gap is designed to insulate the SCADA systems from the kinds of infections perpetrated by spear phishing attacks. "Air gaps are a mess these days," Klinger says. "Stuxnet taught us that."

"Once you're in an engineer's email, it's just a matter of cross-contamination," he added. "Eventually an engineer is going to have to access the Internet to update something on the SCADA, and that's when you get cross-contamination."

Phishing attacks on SCADA systems are likely rare, says Raj Samani, vice president and CTO of McAfee EMEA.

"I would anticipate that the majority of spear phishing attacks against employees would be focused against the IT network," Samani says. "The espionage attacks on IT systems would dwarf those against SCADA equipment."

Still, the attacks are happening. "These are very targeted attacks and not something widely publicized," says Dave Jevans, chairman and CTO of Marble Security and chairman of the Anti-Phishing Working Group.

Jevans acknowledged, though, that most SCADA attacks involve surveillance of the systems and not infection of them. "They're looking for how it works, can a backdoor be maintained into the system so they can use it in the future."

"Most of those SCADA systems have no real security," Jevans says. "They rely on not being directly connected to the Internet, but there's always some Internet connection somewhere."

Some companies even still have dial-in numbers for connecting to their systems with a modem. "Their security on that system is, 'Don't tell anybody the phone number,'" Jevans says.

-John Mello


18 www.csoonline.com November 2013




6 Tools No Security Awareness Program Can Succeed Without

Computer-based training and phishing exercises alone aren’t enough to educate employees. To be effective, your awareness program has to start with these six must-haves. By Ira Winkler and Samantha Manke


Our previous article about security awareness program failures caused some controversy (see “What Makes an Awareness Program Work,” September 1, 2013). We stated that one reason programs fail is that they rely on a single component, such as phishing exercises or computer-based training (CBT), and treat that one element as the beginning and the end of security awareness efforts. This got people asking what else organizations should do to build an effective program that creates the desired behavior changes.

The first thing to do is understand the importance of the end of the previous sentence: security awareness programs should aim to create behavior change. Admittedly, phishing simulations can create what is known as a teachable moment and can have a lasting impact, but they only address a single awareness concern. CBT only requires participants to watch a single video, and as any armchair advertising expert will tell you, it takes constant reinforcement to get a message to sink in.




So how do you make people get the message? Research shows that you need to present the information on at least three occasions, ideally in multiple formats, because everyone learns differently. To create a successful security awareness program, you should therefore use as many formats as possible. This article identifies categories of formats to consider incorporating into your programs.

Collateral. Collateral is a broad term for internally distributed materials, things like newsletters, blogs and other internal communications. These tools serve as a simple reminder to your users that security is important, which gives you an opportunity to educate them once you have their attention.

Try to keep these written communications bite-sized, but include a link back to a lengthier article in case readers want more information. Work within acceptable corporate guidelines, but be aware of limitations. If newsletters are the only way, still go for it, but try to appeal to different demographics.

For example, while older people tend to respond to traditional newsletters, millennials might respond better to a blog or Twitter-style updates. Also consider the possibility that some media types might be too congested. For example, many employees might delete newsletters unread out of habit, so that might not be the best choice of medium for your security awareness program.

Whichever formats you choose, make sure you set up your process to enable you to capture metrics on readership and click-throughs. Metrics will allow you to determine where to focus future efforts.

Posters. Posters are a tried-and-true method of raising awareness. While some people believe they are old-fashioned and outdated, they can be very effective when they are well designed. The Smokey the Bear and the now-ubiquitous “See something, say something” campaigns are testaments to the effectiveness of posters.

If you lack the skills to come up with a catchy tagline and your drawing skills are limited to stick figures, it’s OK to reach out to your internal marketing team or contract a graphic designer. This way you can ensure the style of poster and messaging matches your corporate culture.

Also consider including a QR code that will bring users back to your internal knowledge base, if you have one. This will accomplish two things: It will give your employees more information on the given topic, and it will collect metrics on how many employees are reading your poster and looking for more information.

Lastly, make sure your posters are hung in high-traffic areas for maximum visibility. You don’t want to place them where they become background noise.

Computer-based training. CBT is the most common component of security awareness programs, as it is the most widely accepted method of achieving compliance.

But in this case, people confuse security training with security awareness. CBT provides a fixed body of knowledge and tests people to ensure they’ve retained the information in their short-term memories.

However, relying on CBT alone as a security awareness program is the cause of the bulk of the criticism about security awareness. Despite what the critics say, CBT is still a vital component: it gives you an opportunity to summarize the most important lessons you would like your employees to learn.

CBT can range from 3 minutes to an hour long and include varying degrees of interactivity. It can summarize the most important lessons you would like your employees to learn. Unless the training modules are on the shorter side, they are usually limited to once a year, as you can’t have employees taking extended training on multiple occasions. However, multiple short CBT modules can be used to reinforce many concepts throughout the year and can be very valuable.

Events. Well-executed events bring the security awareness program, and the whole security effort for that matter, to life. Events are your time to shine. Be creative, give out food or gifts, and display security’s smiling faces. These events are your greatest opportunity to put a face on your department and stop being relegated to your usual status as “the man behind the curtain.”

This is also a chance to boost security morale and educate your users. These events are most frequently held during Computer Security Awareness Month in October, but they can be held any time of the year.

Many companies set up a booth with some sort of game. Other popular events include bringing in a speaker or hosting a demonstration. You can show movies with a security theme. The sky, or whatever your budget and upper management dictate, is the limit. These events also provide an opportunity to gather metrics on how many employees stop by.

Lunch-and-learns are one example of ongoing events. In this case, you hold events on specified topics and allow employees to voluntarily attend. Ideally you cater to their personal interests and provide lunch. These events also provide an opportunity to partner with other departments, such as marketing, to get your message across more effectively.

Some security departments hold what are called road shows, where they run special events for particular departments that address their unique security concerns. People love to feel special, and creating a presentation tailored to them will help accomplish this. Interacting with them in a smaller group will also likely make a stronger impression than leaving them alone with a computer screen during a CBT.

Security portal. An internal security portal serves several functions. First, it provides a knowledge base that, while time-consuming to create and maintain, can provide a huge ROI. These databases can include information on securing a mobile device, creating a strong password, and travel security, for example, and they should also explain home and personal security strategies, such as protecting children online and securing social media accounts. If you provide information that personally engages employees, the behaviors they learn for use at home can translate into more secure work habits.

Creating the knowledge base can seem like a Sisyphean task, especially since it must also be kept up to date to reflect changing technologies. However, the time investment is worth it as it engages employees and provides important information that is not being covered by other awareness efforts.

The other critical element to include in a security portal is a method for contacting the security staff, so users can report incidents and reach out with general questions and concerns.

Behavioral testing and teachable moments. Phishing, USB drive drops, and social engineering tests require some care, but are important to do because they give your employees a teachable moment. The employees who aren’t practicing safe security behaviors will be identified and given on-the-spot training to educate them about the risks of their actions and how they can spot real attacks. These activities also provide what are usually the best metrics you can collect. If you can determine a potential loss per incident, with the right preparation, it is the most effective tool available for demonstrating ROI.

There are limitations to this type of testing, however. For example, a common tactic is to use kitten videos or pictures to get people to open up a phishing message. If a person doesn’t like cats, they may avoid springing the trap in your test, but that doesn’t mean that they are secure against other attacks that might use other pretexts.

Conclusions 

Clearly, there are many potential components of an effective security awareness program, and we’ve listed just a few here. You should incorporate as many components or formats as you can so you offer the maximum possible variety of exposures in as many formats as possible. This provides the greatest opportunity to reinforce the desired behaviors, and it makes it more likely that people will be addressed using the formats they are most receptive to.

Security awareness is about creating a strong security culture. Such a culture saves organizations money by reducing the number of security incidents. That is not easy to accomplish and goes well beyond having people watch a video or teaching them not to open an email.


■ Ira Winkler and Samantha Manke can be contacted at www.securementem.com.


Building the InfoSec Team of Tomorrow


A growing skills shortage in IT has created both problems and opportunities, which will result in the security team of tomorrow being much more diverse. With that in mind, EMC’s Security for Business Innovation Council (SBIC) offers seven recommendations for easing the transition.

A new report from the SBIC examines the notion of building the security team of tomorrow, as well as the reasons for doing so. Last year, business leaders learned the eye-opening fact that 25 percent of mid-market and enterprise organizations reported a “problematic shortage” of IT skills, and 83 percent of enterprise organizations reported it was difficult to recruit and hire information security specialists.

According to the report, information security is no longer just about implementing and operating security controls. The mission has evolved to include “advanced technical and business-centric activities such as: business risk analysis, asset valuation, IT supply chain integrity, cyber intelligence, security data analytics, data warehousing, and process optimization.”

This mission growth translates into a need for specialized skill sets, but the shortage of such talent makes building an effective team a monumental task. However, with this problem comes an opportunity.

“In many organizations, personnel outside of security are starting to realize that they, not security, own the risks to their information assets and they need to actively partner with security to manage those risks,” the SBIC report states.

“To be successful, the information security function [must be] a cross-organizational endeavor, with security processes deeply embedded into business processes.”

In the not-so-distant future, the security team of tomorrow will include personnel from IT, business units and departments throughout the organization including legal, procurement and marketing. The core security team, which is what exists today, will work with the others to coordinate the overall efforts while focusing their energies on tasks that require specialized knowledge or centralization.

“The core security team’s expertise should be primarily focused on delivering consulting, providing direction, driving strategy, identifying and explaining risks to the business, understanding threats and moving the organization forward, not be encumbered by the day-to-day routine operational activities,” says Bob Rodger, group head of information security for HSBC Holdings.

The SBIC offers seven recommendations designed to help organizations build their extended security team over time:

1. Redefine and strengthen core competencies: Focus the core team on increasing proficiency in four main areas: cyber-risk intelligence and security-data analytics, security-data management, risk consultancy, and controls design and assurance.

2. Delegate routine operations: Allocate repeatable, well-established security processes to IT, business units or external service providers.

3. Borrow or rent experts: For particular specializations, augment the core team with experts from within and outside the organization.

4. Lead risk owners in risk management: Partner with the business in managing cybersecurity risks and coordinate a consistent approach. Make it easy for the business and make them accountable.

5. Hire process optimization specialists: Have people on the team with experience or certifications in quality, project or program management, process optimization, and service delivery.

6. Build key relationships: Be well positioned to have influence with key players, such as middle management and outsourced service providers.

7. Think outside the box for future talent: Given the lack of readily available expertise, developing talent is the only true long-term solution for most organizations. Valuable backgrounds can include database administration, software development, business analysis, military intelligence, legal or privacy officers, data science, mathematics and history. -Steve Ragan


SOCIAL SECURITY

INDUSTRY CHATTER ON TWITTER

Ignorance is bliss. Knowledge is icky. -Jennifer Leggio, @mediaphyter

Lots of brilliant security minds are reverse-engineering software. Why the hell don’t Oracle and Adobe forward-engineer their sh*t? -Info Security Jerk, @infosecjerk

If I had a billion dollars? Hmm... An indulgence? Probably a plane or two. -Reuven Cohen, @rUv

Risk aversion and innovation: oil and water, it seems. But oh well, mediocrity is always good enough, right? -Kevin Behr, @kevinbehr




Cybersecurity Can’t Become a ‘Profession’ Until It Stops Changing So Fast, Report Finds


A panel from the National Academy of Sciences, commissioned by the Department of Homeland Security, says that cybersecurity should be seen as an occupation and not a profession.

The report states that the cybersecurity field is too young, and the technologies it uses, and the threats and actions it uses to counter them, change too rapidly to consider professionalization.

Professionals, according to the report, usually meet six criteria: they have passed a knowledge test about their work, they’ve completed a course of study on the intellectual basis of the profession, they were mentored for a time, they are continuing their education, they are licensed by a formal authority and they face consequences if they breach the profession’s ethical code.

For some organizations, making cybersecurity a profession might provide a useful degree of quality control, the report says, but professionalization also imposes barriers, which could prevent talented workers from entering the field at a time when “demand for cybersecurity workers exceeds supply.”

In terms of quality control, professionalization could attract workers and establish long-term paths to improving the workforce overall, the report says, but its prerequisites, such as standardized education or required certification, have their disadvantages too.

For example, formal education or certification could be helpful to employers who are looking to evaluate the skills and knowledge of a given applicant, but it takes time to develop curricula and reach a consensus on what core knowledge and skills should be assessed in order to award any such certification. For direct examples of such a quandary, infosec needs only to look at the existing certification programs and the criticisms directed at certifications such as the CISSP.

Once a certification is issued, barriers start to emerge. The standards used to award certifications will run the risk of becoming obsolete. Furthermore, workers may not have incentives to update their skills to remain current. Again, this issue is seen in the industry today, as some professionals choose to let their certifications lapse rather than renew them or try to collect the required CPE credits.

But the largest barrier is that some of the most talented individuals in cybersecurity today are self-taught, which means that requiring formal education may deter potential employees from entering the field when they are needed the most. So while professionalization may be a useful tool in some circumstances, the report notes, it shouldn’t be treated as meaning “better.”

“It would be very hard to professionalize the field of cybersecurity. The complexities are such that the subject-matter experts in any particular security field are not necessarily individuals that have passed exams certifying their level of knowledge or competence, but rather independent thinkers that have pieced together solutions, programs and assessments from years of hands-on experience and analysis of event details,” says Sarah Isaacs, CEO of Conventus, an IT security consultancy.

“Curriculum around cybersecurity today simply enforces a baseline knowledge of terminology, theory and protocol, where true excellence in the infosec community pieces each of those together with the important addition of analytical skills — the hardest part to teach and standardize,” she says.

The report goes on to point out that professionalization may one day be the right choice for the industry, but first certain criteria need to be met. First, a cybersecurity occupation needs well-defined characteristics, such as a core set of knowledge and skills that remain stable even in a rapidly changing environment. Second, there needs to be evidence of occupational shortcomings that could be remedied by a professionalization measure. Such shortcomings could include skill deficiencies, questions of legitimacy from among the current set of practitioners, or concerns about accountability.

“Premature or blanket professionalization strategies will likely hinder efforts to build a national cybersecurity workforce of sufficient quality, size and flexibility to meet the needs of this dynamic environment,” concluded Diana Burley, co-chair of the committee that wrote the report and associate professor of human and organizational learning at George Washington University.

-Steve Ragan




Cover Story


$45 million was stolen from ATMs around the world in a matter of hours. In what a U.S. Attorney called a “21st-century bank heist,” a New York-based organized crime ring in February hacked into financial databases, stole prepaid debit card data, removed their withdrawal limits, cloned new cards, and then sent “mules” (people commissioned to conduct the transactions) to make 4,500 ATM withdrawals worldwide.

With four perpetrators caught and indictments issued in New York, victims on all sides of this crime are now left to sort out who assumes the losses.

Does the liability rest with the financial institutions that were initially hacked and whose data was used to manipulate the withdrawal limits and load balances onto the cards? Or are the financial institutions that processed the transactions responsible?

“The law likes to impose liability on the party that is best able to avoid harm. But liability is all over the place in the area of financial payments fraud,” says Mark Rasch, principal attorney at Rasch Technology and Cyberlaw. “Recovering money from those who are liable is also difficult and expensive: You have to file the lawsuits and go through discovery, which can take years.”

Improvements in payment protections are shifting the liability—and the bill—for fraud to the least-secure party. By Deb Radcliff

As standards for pattern recognition and authentication change, so do the legal challenges that come with them. Liability rules are changing especially quickly in relation to card readers, corporate accounts and card-not-present transactions.

The Trouble With Magnetic Stripes

Of these three areas of financial systems fraud, the most dramatic changes are occurring in card and card-reader protections for U.S. merchants making transactions through ATMs and other card-reader systems.

“Although statistics are hard to come by, card fraud has been increasing steadily over the past few years in the U.S.,” says Randy Vanderhoof, executive director of the Smart Card Alliance. “Meanwhile, card fraud has been decreasing in Europe and elsewhere where they are using chip-enabled EMV smart cards rather than mag stripes.” The EMV (Europay, MasterCard and Visa) open framework promotes interoperable, chip-enabled payment cards.

In the U.K., where EMV cards are the dominant form of payment, counterfeit card fraud dropped by two-thirds (from 150 million pounds to less than 50 million pounds) between 2008 and 2010, according to a 2011 presentation by the Federal Reserve Bank of Kansas City. And from January 2010 to September 2011, FICO, a predictive-analysis company, reported a 60 percent decline in counterfeit card fraud in Europe, where smart cards are the dominant form of payment.

The risk in using magnetic stripes is that the data they contain is static and includes the cardholder’s name and address, the financial institution, the 16-digit account number, the expiration date and even the security confirmation code on the back of the card. All of which means the information on the stripe can be used to make new cards, explains Vanderhoof.

“As long as you are able to read static data that is encoded on the back of a magnetic stripe, criminals can replicate that data onto another piece of plastic, just like the original,” he says.

This weakness made it possible for the criminals and their global network of mules to quickly steal $45 million using counterfeit cards.

In an EMV chip-based smart payment card, this data is stored securely within the chip, meaning that only authorized merchant terminals can read the stored data and it cannot be reused to create fraudulent transactions, Vanderhoof continues.

Instead, each transaction processed with an EMV chip card and card reader is assigned a unique identifier. If criminals do break the card or terminal’s encryption programs, the data they see is good for one use only. The data stream processed through the terminal is also unique, so it cannot be re-used even if it is captured by wireless sniffers listening in from the parking lot, for example.
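The single-use property described above, as an added example that is not part of the article or any payment network's code: a toy Python model in which an issuer that authorizes on static stripe data accepts a byte-for-byte copy, while an issuer that verifies a keyed per-transaction cryptogram and a strictly increasing transaction counter rejects a replay and a tampered copy. HMAC-SHA256 stands in for the real EMV cryptogram, and the card numbers, keys and nonces are constructed sample values.

```python
"""
Added example (not from the CSO article or any payment network's code):
a toy model of why static magnetic-stripe data can be replayed from a cloned
card, while an EMV-style per-transaction cryptogram is good for one use only.
HMAC-SHA256 stands in for the real EMV cryptogram (an assumption, not the
EMV algorithm); PANs, keys and nonces below are constructed sample values.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class StripeTrack:
    """The static fields a magnetic stripe carries (constructed sample)."""
    pan: str
    name: str
    expiry: str
    cvv: str


class StripeIssuer:
    """Authorizes a swipe on the track contents alone: anything that
    matches the enrolled record is accepted, however it was obtained."""

    def __init__(self, enrolled: dict[str, StripeTrack]) -> None:
        self.enrolled = enrolled

    def authorize(self, presented: StripeTrack, amount: int) -> bool:
        return self.enrolled.get(presented.pan) == presented


@dataclass
class ChipCard:
    """Holds a per-card secret key and an application transaction counter
    (ATC) that increments on every cryptogram, so no two are alike."""
    pan: str
    key: bytes
    atc: int = 0

    def generate_cryptogram(self, amount: int, terminal_nonce: bytes) -> dict:
        self.atc += 1
        msg = f"{self.pan}|{self.atc}|{amount}|".encode() + terminal_nonce
        mac = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return {"pan": self.pan, "atc": self.atc, "amount": amount,
                "nonce": terminal_nonce, "mac": mac}


class ChipIssuer:
    """Verifies the cryptogram with the card's key and rejects any ATC that
    is not strictly greater than the last one seen for that card."""

    def __init__(self, keys: dict[str, bytes]) -> None:
        self.keys = keys
        self.last_atc: dict[str, int] = {}

    def authorize(self, req: dict) -> bool:
        key = self.keys.get(req["pan"])
        if key is None:
            return False
        msg = f"{req['pan']}|{req['atc']}|{req['amount']}|".encode() + req["nonce"]
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["mac"]):
            return False            # amount, ATC or nonce was altered
        if req["atc"] <= self.last_atc.get(req["pan"], 0):
            return False            # replay of an already-seen cryptogram
        self.last_atc[req["pan"]] = req["atc"]
        return True


def stripe_clone_replays() -> tuple[bool, bool]:
    """Static data: the genuine swipe and an exact copy both clear."""
    track = StripeTrack("4111111111111111", "SAMPLE CARDHOLDER", "1216", "123")
    issuer = StripeIssuer({track.pan: track})
    genuine = issuer.authorize(track, 2000)
    copy = StripeTrack(track.pan, track.name, track.expiry, track.cvv)
    return genuine, issuer.authorize(copy, 2000)


def chip_capture_is_single_use() -> tuple[bool, bool, bool, bool]:
    """Chip: first use clears, a replay and an altered copy do not, and the
    card's next genuine transaction (fresh ATC) still clears."""
    key = secrets.token_bytes(16)       # constructed per-card key
    card = ChipCard("4111111111111111", key)
    issuer = ChipIssuer({card.pan: key})
    req = card.generate_cryptogram(2000, secrets.token_bytes(8))
    first = issuer.authorize(req)
    replay = issuer.authorize(req)                      # same bytes again
    altered = issuer.authorize(dict(req, amount=9000))  # captured, edited
    nxt = issuer.authorize(card.generate_cryptogram(3500, secrets.token_bytes(8)))
    return first, replay, altered, nxt


if __name__ == "__main__":
    print("stripe (genuine, clone):", stripe_clone_replays())
    print("chip (first, replay, altered, next):", chip_capture_is_single_use())
```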

Deadlines Meet Resistance

In 2011 and 2012, MasterCard, Visa, Discover and American Express announced they were accelerating plans to issue EMV smart cards and were already using them for applications such as college credit cards and cards for travelers who want to use them internationally.

The next stage is to get the card readers compliant with the new smart payment cards, says John Graham, vice president of global information assurance and risk for First Data Corporation, one of the largest payment processors in the U.S., with infrastructure in 34 countries.

“The infrastructure is there to support EMV cards, but there are costs to banks and financial institutions that send out smart cards,” Graham says. “We’ve also ensured our back-end systems and mainframes are able to accept these new forms of transactions.”

According to EMV Connection, approximately 1.5 billion EMV cards have been issued globally, and 21.9 million terminals were accepting EMV cards as of Q4 of 2011. This represents 44.7 percent of the total payment cards in circulation and 76.4 percent of point-of-sale terminals installed outside the U.S., where statistics are harder to find.


What Is Corporate Account Takeover Fraud, Exactly?

First identified in 2005, a corporate account takeover is a type of corporate identity theft in which cyber thieves steal businesses’ valid online banking credentials or hijack browser sessions to access a customer’s account. Once the thieves gain access to an account, they can conduct unauthorized transactions, change contact information, and gather information on the account’s history to commit other crimes.




Under the EMV framework, merchants that process transactions through card readers have until October 2015 to upgrade their systems to chip-enabled readers.

If merchants cannot process EMV payment cards and they are defrauded by counterfeit data in magnetic-stripe cards, liability for losses will begin to shift to the merchants that have not upgraded payment card readers, according to Vanderhoof. Likewise, if merchants can process EMV payment cards and the card issuer is still allowing its customer to use a non-EMV card, that issuer will begin to assume the liability for fraudulent transactions.

While large merchants stand ready to meet the EMV deadline, small mom-and-pop operations are the hardest to convince and need more education, says Graham, adding that, in some cases, small businesses are still using old, analog lines to conduct transactions.

The transition to smart cards will likely occur in phases, say experts.

“For some, it makes sense to make the upgrade to EMV-enabled readers as soon as possible, and for others it may be a phased-in approach that may not meet the EMV deadlines as they now stand,” says Steve Kenneally, vice president for the center of regulatory compliance at the American Bankers Association.

Kenneally notes that earlier this year, the ATM Industry Association asked for a push back on the deadlines imposed on them by Visa. As a result, most of the brands behind EMV smart cards are imposing their own liability shift dates for ATMs. For example, MasterCard will fully shift liability for card readers onto merchants on Oct. 1, 2016, while Visa will shift liability to its merchants in October of 2017, according to the financial publication and resource group ATM Marketplace.

MasterCard predicts that about 70 percent of those with card processing terminals will make the October 2015 compliance deadline and has even laid out its own liability shift schedule, which currently extends to 2017 for gas stations. (Gas stations are one of the first places criminals test cloned cards to see if they will process, according to experts.)

Most guidelines take into account that for some time during the transition, merchants will need to be able to process both mag stripe and chip-enabled cards. MasterCard provides incentives for merchants to become EMV-compliant, such as audit relief to organizations with readers that can handle both forms of payments.

Resources for upgrading to EMV are available through many organizations. Visa, MasterCard and other payment processors, along with the Smart Card Alliance and the PCI Council, provide guidance for understanding how PCI DSS and EMV work together to protect payment card data.

“There’s been a lot of work behind the scenes to educate the market about the value of EMV,” says Vanderhoof. “Financial institutions, merchants and processors all need to coordinate around a common method of handling EMV payments.”

EMV chip-enabled smart cards also allow for the use of strong authentication methods — using more than just passwords to authenticate transactions. The chip supports tokens and other forms of authentication, including offline or online onetime passwords or PINs requested at the time of transaction. Increasingly, these challenge codes are being sent to the card user on their cellphones, say Vanderhoof and Graham.

Better Detection Tools Head Off Fraud

In recent years, the success rate for Automated Clearing House (ACH) takeover attempts has been dramatically reduced, according to Doug Johnson, vice president and senior adviser of risk management and policy for the American Bankers Association (ABA), and fraud detection and analysis are behind the drop.

Since 2009, the ABA has conducted a yearly survey of its members to compare how many ACH takeovers were attempted to how many successful transactions were generated from those attempts. In 2009, 70 percent of fraudulent transactions went undetected and were processed, while in 2012, only nine percent of fraudulent attempts made it through to transaction; the rest were blocked.

“This metric tells us that fraud detection patterns and triggers are better tuned to detect velocity of transactions, size of transactions and anomalous behavior of the end point system conducting the transaction,” says Johnson.

Fraud attempts continue against ACH account holders, of course, but more security controls have been built in so that it’s harder for criminals to succeed, agrees Avivah Litan, an analyst at Gartner.

For example, JP Morgan Corporate and Investment Banking puts some control into the hands of ACH account holders by allowing them to personally determine which companies can conduct ACH transactions with their account, while anyone not specified is not allowed to use that ACH account. The investment firm also includes education on ACH fraud and how it is conducted from the victim’s own computer.
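The three triggers Johnson lists (velocity, size, anomalous behavior of the originating endpoint) together with the account-holder counterparty allowlist described for JP Morgan, worked through as an added example that is not code from any bank or vendor named here; the thresholds, counterparty names, endpoint fingerprints and sample transfers are all constructed.

```python
# Illustrative ACH transfer screening: the velocity, size and endpoint-anomaly
# triggers Johnson describes, plus the customer-maintained counterparty allowlist
# attributed to JP Morgan. Added example, not any bank's code; all thresholds,
# names and sample transfers are constructed.
from dataclasses import dataclass, field

@dataclass
class Transfer:
    ts: int            # seconds since some epoch (constructed)
    counterparty: str  # company the ACH payment is sent to
    amount: float
    endpoint: str      # fingerprint of the originating session (constructed)

@dataclass
class AccountProfile:
    allowed_counterparties: set   # ACH allowlist set by the account holder
    known_endpoints: set          # devices seen in legitimate sessions
    typical_amount: float         # e.g. historical median transfer size
    history: list = field(default_factory=list)  # all attempts, held or not

VELOCITY_WINDOW = 3600   # seconds over which attempts are counted
VELOCITY_LIMIT = 3       # attempts per window; the next one is held
SIZE_MULTIPLIER = 5.0    # hold if amount exceeds 5x the typical size

def evaluate(t: Transfer, profile: AccountProfile) -> list:
    """Return the trigger names fired for t; an empty list releases it."""
    triggers = []
    if t.counterparty not in profile.allowed_counterparties:
        triggers.append("counterparty_not_allowed")
    if t.endpoint not in profile.known_endpoints:
        triggers.append("unknown_endpoint")
    if t.amount > SIZE_MULTIPLIER * profile.typical_amount:
        triggers.append("unusual_size")
    recent = [h for h in profile.history if t.ts - h.ts <= VELOCITY_WINDOW]
    if len(recent) + 1 > VELOCITY_LIMIT:   # this attempt counts too
        triggers.append("velocity")
    profile.history.append(t)   # held attempts still count toward velocity
    return triggers

def screen(transfers: list, profile: AccountProfile) -> dict:
    """Evaluate one account's transfers in time order; {ts: triggers} for held ones."""
    held = {}
    for t in sorted(transfers, key=lambda x: x.ts):
        fired = evaluate(t, profile)
        if fired:
            held[t.ts] = fired
    return held

SAMPLE = [   # constructed: two routine transfers, then takeover-like activity
    Transfer(0, "payroll-co", 1800.0, "ep-office"),
    Transfer(600, "utility-co", 950.0, "ep-office"),
    Transfer(1200, "mule-llc", 12000.0, "ep-unknown"),
    Transfer(1500, "payroll-co", 1700.0, "ep-office"),  # fourth attempt in an hour
]
```

Running `screen(SAMPLE, AccountProfile({"payroll-co", "utility-co"}, {"ep-office"}, 2000.0))` holds the third transfer on all three static triggers and the fourth, otherwise routine, transfer on velocity alone.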

Who’s Liable?

ACH takeover usually starts when account holders are victims of a phishing attack that tricks them into installing malware on their computers, or victims accidentally download malware from an infected or malicious website.

Once the ACH transaction is initiated, a criminal can check the balance and initiate transfers without being seen by the system operator, explains Rasch.

Each party in this case was a victim, including the client that was phished, the back-end financial institution that sent the funds, and the processor between the two parties that negotiated the transaction.


Now, each party is finding that their share of the liability for the fraud is shifting as the result of better security practices. This is particularly good news for account holders who historically have been left holding the bag for transactions not stopped by their financial institutions.


As banks and processors add more pattern analysis and stronger authentication measures into their protections, these become “reasonable security practices” under the Uniform Commercial Code, explains Johnson. Under the code, entities with reasonable security practices are more likely to be protected from liability should they be victims of ACH fraud.

This shift is already beginning to happen, as evidenced by the fact that ACH fraud victims are taking their cases to court and account holders are winning judgments, says Gartner’s Litan.

For example, in July of 2012, a First Circuit court overturned a 2011 judgment in favor of the bank that allowed nearly $600,000 in unusual and fraudulent transactions to process. In the suit, Patco, the construction company victimized by the fraud, claims that the bank was not in compliance with the Uniform Commercial Code for reasonable security, and in particular it failed to meet the Federal Financial Institutions Examination Council’s (FFIEC) authentication guidance for online banking.

Under FFIEC guidelines, authentication measures at banks should include strong pattern recognition and pattern matching tools. Most of these points were spelled out in the contract between Patco and the bank, yet the bank failed to challenge the six unusual transfers that resulted in the fraud.

“By contract, the customer of the ACH processor and the bank agree to a set of commercially reasonable standards that dictates what happens if a customer suffers losses and standards weren’t adhered to,” Johnson says. “The party that was not adhering to standards is the one that has liability.”


Current EMV Smart Card Issuers

American Express
Andrews Federal Credit Union
Bank of America
Chase:
■ JPMorgan Palladium Card
■ JP Morgan Select Visa Signature card
■ Chase Hyatt Visa Signature Credit Card
■ Chase British Airways Visa Signature Credit Card
Citi:
■ Citi Commercial Cards
■ Citi Executive℠/AAdvantage Card
Fifth Third Bank
Jack Henry & Associates Payment Processing Solutions
PSCU Financial Services
Silicon Valley Bank
Star One Credit Union
State Employees Credit Union
Travelex Cash Passport
United Nations Federal Credit Union
U.S. Bank
Wells Fargo

Source: Smart Card Alliance




“The infrastructure is there to support EMV cards, but there are costs to banks and financial institutions that send out smart cards.”

-JOHN GRAHAM, VP OF GLOBAL INFORMATION ASSURANCE AND RISK, FIRST DATA CORPORATION


Remote Transactions Require New Security Solutions

As card-present payment systems get more secure due to the growing acceptance of EMV payment cards, the concern now is that more fraud will focus on card-not-present transactions such as online orders, says Jeremy Grant, senior executive adviser for the National Strategy for Trusted Identities in Cyberspace (NSTIC).

Already, this shift appears to be happening. FICO reported in 2012 that fraud losses in card-not-present environments (Internet, phone and mail order) increased at twice the rate of counterfeit card fraud.

This means that, in addition to fraud-pattern matching, the industry needs to standardize on stronger identity and authentication methods, at least for online transactions, Grant says.

“Our area of concern is about the user signing on to conduct the transaction,” Grant says. “If you look at the Verizon Data Breach Investigations Report, most breaches start with the exploitation of a username and password.”

Operating out of the Commerce Department, NSTIC’s mission is to enable more online transactions through a common identity framework that can be leveraged by business and consumers. In this framework, consumers and their places of business can choose from a variety of authentication credentials that will function across an “ecosystem” to supplement passwords.

“We feel this would help address the risk in card-not-present fraud, but also it would be more convenient for consumers, who won’t have to remember dozens of different passwords and keep updating and changing them,” Grant explains.

NSTIC is working with privacy organizations and private-sector groups to develop standards and overcome issues of user privacy and interoperability and encryption key management, for example.

Widespread Access to Multi-Factor Authentication

In this identity ecosystem, could the chip on the smart payment cards support multi-factor authentication that criminals couldn’t meddle with? Possibly, says Grant.

Consumers will have the choice of using whatever kind of multi-factor authentication they find most convenient, as several types will be supported by payment processors in the ecosystem.

According to the Smart Card Alliance, MasterCard has enacted a Chip Authentication Program and Visa has set up a Dynamic Passcode Authentication system to allow EMV smart cards to be used to authenticate users during online transactions.

Under these programs, the user would insert a card into a handheld reader attached to their phone or computer and enter a PIN. Then the reader displays a one-time password that the user enters to complete the transaction.

Bob Russo, general manager of PCI SSC New York, thinks it will be some time before we see EMV chips becoming a dominant form of online authentication because most people don’t want to have to attach readers to their computers and phones.

However, 30 million Europeans already use EMV cards and readers for Internet transactions, according to the Smart Card Alliance. And millions of small business owners are using attachable smart card readers on their smartphones to conduct business.

Regardless of what forms of authentication are used, the improvements made to protect all forms of payment fraud, including those changes to the PCI DSS rules for protecting cardholder data all along the transaction chain, are reducing fraud. In 2012, payment fraud was 12 percent lower than in 2009, according to the 2013 AFP Payments Fraud and Control Survey conducted by JP Morgan.

“EMV and PCI standards make for a powerful combination,” Russo says. “Financial organizations are seeing fewer large-scale breaches today, and that’s proof our efforts are working.”


■ Deb Radcliff is a freelance writer based in California and is also chief of the SANS Analyst Program.




6 Ways Kids Shirk Homework in the Digital Age

Now that the school year is in full swing, students are often submitting homework electronically through school portals or by emailing teachers directly. Brian Wrozek says it’s time to update that old “the dog ate my homework” excuse to one more appropriate for the digital age. Choose your favorite to avoid those pesky point deductions for late work.


1. The Internet connection at my house was down all weekend because we were DOS’ed after my brother accidentally slayed his Undead Orc Warlord Druid guild leader right before reaching level 80 in WoW.

2. I am still waiting for my mom to wire the 100,000 rubles that I owe somebody in Russia to get the password to decrypt all the Microsoft files on my laptop after picking up a virus downloading MP3s from the www.ofcoursetheyarefreeortheywouldnotbeontheInternet.mp3.com.ru website recommended by my now-ex friend.

3. All the computers in our house are still officially on litigation hold after an unfortunate mix-up that occurred while my dad was assisting the authorities with operation Yellow Cake, which was aimed to nab an international ring of Twinkie counterfeiters that had sprung up in the wake of Hostess’s business trouble.

4. I was busy shopping since I’m planning to drop out of school anyway once the Prince of Nigeria rewards me with $10 million after I open up an account with a minimum balance of $1,000 in the Central Bank of Nigeria to help him unfreeze money from the Nigerian National Petroleum Company.

5. I tried to submit my dissertation on the parallels of the fall of the Roman Empire and the declining viewer ratings of Keeping Up With the Kardashians using Twitter, but I didn’t know that they limit the number of tweets to 1,000 a day.

6. What do you mean you didn’t receive my assignment? Have you checked your spam filter quarantine folder? Because I’m sure I sent it to you last night.

Brian Wrozek is the IT security and privacy director for Texas Instruments. He can be reached at bwrozek@ti.com, or follow him on Twitter: @bdwtexas.




